
I am following this guide to set up a Kerberos server. The system configuration for the Kerberos server is below; can someone help me resolve the issue? Any help will be appreciated.

Here is the problem I'm seeing:

root@openldap ~# kadmin -p admin
Authenticating as principal admin with password.
kadmin: Cannot resolve network address for admin server in requested realm while initializing kadmin interface

...and relevant system information/configuration:

root@openldap ~# uname -a
Linux openldap 3.2.0-4-amd64 #1 SMP Debian 3.2.68-1+deb7u3 x86_64 GNU/Linux
root@openldap ~# cat /etc/hosts
127.0.0.1 localhost
10.5.126.24:464 krb.ixsystems.com

#Required for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts
root@openldap ~# cat /etc/krb5.conf
[libdefaults]
    default_realm = IXSYSTEMS.COM
        forwardable = true
        proxiable = true

[realms]
    IXSYSTEMS.COM = {
        kdc = kdc1.ixsystems.com
        admin_server = krb.ixsystems.com
    }

[domain_realm]
    .ixsystems.com = IXSYSTEMS.COM
    ixsystems.com = IXSYSTEMS.COM

[logging]
    kdc = FILE:/var/log/krb5/kdc.log
    admin_server = FILE:/var/log/krb5/kadmin.log
    default = FILE:/var/log/krb5/kadmin.log

# The following krb5.conf variables are only for MIT Kerberos.
    krb4_config = /etc/krb.conf
    krb4_realms = /etc/krb.realms
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true

# The following encryption type specification will be used by MIT Kerberos
# if uncommented.  In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.
#
# Thie only time when you might need to uncomment these lines and change
# the enctypes is if you have local software that will break on ticket
# caches containing ticket encryption types it doesn't know about (such as
# old versions of Sun Java).

#   default_tgs_enctypes = des3-hmac-sha1
#   default_tkt_enctypes = des3-hmac-sha1
#   permitted_enctypes = des3-hmac-sha1

# The following libdefaults parameters are only for Heimdal Kerberos.
    v4_instance_resolve = false
    v4_name_convert = {
        host = {
            rcmd = host
            ftp = ftp
        }
        plain = {
            something = something-else
        }
    }
    fcc-mit-ticketflags = true

[realms]
    IXSYSTEMS.COM = {
        kdc = kdc1.ixsystems.com
        admin_server = krb.ixsystems.com
    }
    ATHENA.MIT.EDU = {
        kdc = kerberos.mit.edu:88
        kdc = kerberos-1.mit.edu:88
        kdc = kerberos-2.mit.edu:88
        admin_server = kerberos.mit.edu
        default_domain = mit.edu
    }
    MEDIA-LAB.MIT.EDU = {
        kdc = kerberos.media.mit.edu
        admin_server = kerberos.media.mit.edu
    }
    ZONE.MIT.EDU = {
        kdc = casio.mit.edu
        kdc = seiko.mit.edu
        admin_server = casio.mit.edu
    }
    MOOF.MIT.EDU = {
        kdc = three-headed-dogcow.mit.edu:88
        kdc = three-headed-dogcow-1.mit.edu:88
        admin_server = three-headed-dogcow.mit.edu
    }
    CSAIL.MIT.EDU = {
        kdc = kerberos-1.csail.mit.edu
        kdc = kerberos-2.csail.mit.edu
        admin_server = kerberos.csail.mit.edu
        default_domain = csail.mit.edu
        krb524_server = krb524.csail.mit.edu
    }
    IHTFP.ORG = {
        kdc = kerberos.ihtfp.org
        admin_server = kerberos.ihtfp.org
    }
    GNU.ORG = {
        kdc = kerberos.gnu.org
        kdc = kerberos-2.gnu.org
        kdc = kerberos-3.gnu.org
        admin_server = kerberos.gnu.org
    }
    1TS.ORG = {
        kdc = kerberos.1ts.org
        admin_server = kerberos.1ts.org
    }
    GRATUITOUS.ORG = {
        kdc = kerberos.gratuitous.org
        admin_server = kerberos.gratuitous.org
    }
    DOOMCOM.ORG = {
        kdc = kerberos.doomcom.org
        admin_server = kerberos.doomcom.org
    }
    ANDREW.CMU.EDU = {
        kdc = kerberos.andrew.cmu.edu
        kdc = kerberos2.andrew.cmu.edu
        kdc = kerberos3.andrew.cmu.edu
        admin_server = kerberos.andrew.cmu.edu
        default_domain = andrew.cmu.edu
    }
    CS.CMU.EDU = {
        kdc = kerberos.cs.cmu.edu
        kdc = kerberos-2.srv.cs.cmu.edu
        admin_server = kerberos.cs.cmu.edu
    }
    DEMENTIA.ORG = {
        kdc = kerberos.dementix.org
        kdc = kerberos2.dementix.org
        admin_server = kerberos.dementix.org
    }
    stanford.edu = {
        kdc = krb5auth1.stanford.edu
        kdc = krb5auth2.stanford.edu
        kdc = krb5auth3.stanford.edu
        master_kdc = krb5auth1.stanford.edu
        admin_server = krb5-admin.stanford.edu
        default_domain = stanford.edu
    }
        UTORONTO.CA = {
                kdc = kerberos1.utoronto.ca
                kdc = kerberos2.utoronto.ca
                kdc = kerberos3.utoronto.ca
                admin_server = kerberos1.utoronto.ca
                default_domain = utoronto.ca
    }

[domain_realm]
    .mit.edu = ATHENA.MIT.EDU
    mit.edu = ATHENA.MIT.EDU
    .media.mit.edu = MEDIA-LAB.MIT.EDU
    media.mit.edu = MEDIA-LAB.MIT.EDU
    .csail.mit.edu = CSAIL.MIT.EDU
    csail.mit.edu = CSAIL.MIT.EDU
    .whoi.edu = ATHENA.MIT.EDU
    whoi.edu = ATHENA.MIT.EDU
    .stanford.edu = stanford.edu
    .slac.stanford.edu = SLAC.STANFORD.EDU
        .toronto.edu = UTORONTO.CA
        .utoronto.ca = UTORONTO.CA

[login]
    krb4_convert = true
    krb4_get_tickets = false
root@openldap ~# netstat -nlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:749             0.0.0.0:*               LISTEN      2061/kadmind    
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      2104/lighttpd   
tcp        0      0 0.0.0.0:464             0.0.0.0:*               LISTEN      2061/kadmind    
tcp        0      0 0.0.0.0:754             0.0.0.0:*               LISTEN      2299/xinetd     
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      2266/sshd       
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      2104/lighttpd   
tcp        0      0 0.0.0.0:636             0.0.0.0:*               LISTEN      2191/slapd      
tcp        0      0 0.0.0.0:12320           0.0.0.0:*               LISTEN      2176/shellinaboxd
tcp        0      0 0.0.0.0:12321           0.0.0.0:*               LISTEN      2363/perl       
tcp        0      0 0.0.0.0:389             0.0.0.0:*               LISTEN      2191/slapd      
tcp6       0      0 :::749                  :::*                    LISTEN      2061/kadmind    
tcp6       0      0 :::80                   :::*                    LISTEN      2104/lighttpd   
tcp6       0      0 :::464                  :::*                    LISTEN      2061/kadmind    
tcp6       0      0 :::22                   :::*                    LISTEN      2266/sshd       
tcp6       0      0 :::636                  :::*                    LISTEN      2191/slapd      
tcp6       0      0 :::389                  :::*                    LISTEN      2191/slapd      
udp        0      0 0.0.0.0:464             0.0.0.0:*                           2061/kadmind    
udp        0      0 0.0.0.0:750             0.0.0.0:*                           2809/krb5kdc    
udp        0      0 0.0.0.0:750             0.0.0.0:*                           2035/krb5kdc    
udp        0      0 0.0.0.0:12321           0.0.0.0:*                           2363/perl       
udp        0      0 0.0.0.0:88              0.0.0.0:*                           2809/krb5kdc    
udp        0      0 0.0.0.0:88              0.0.0.0:*                           2035/krb5kdc    
udp        0      0 10.5.126.24:123         0.0.0.0:*                           2133/ntpd       
udp        0      0 127.0.0.1:123           0.0.0.0:*                           2133/ntpd       
udp        0      0 0.0.0.0:123             0.0.0.0:*                           2133/ntpd       
udp6       0      0 fe80::20c:29ff:fe03:750 :::*                                2809/krb5kdc    
udp6       0      0 fe80::20c:29ff:fe03::88 :::*                                2809/krb5kdc    
udp6       0      0 fe80::20c:29ff:fe03:123 :::*                                2133/ntpd       
udp6       0      0 ::1:123                 :::*                                2133/ntpd       
udp6       0      0 :::123                  :::*                                2133/ntpd       
Active UNIX domain sockets (only servers)
Proto RefCnt Flags       Type       State         I-Node   PID/Program name    Path
unix  2      [ ACC ]     STREAM     LISTENING     5645     2191/slapd          /var/run/slapd/ldapi
unix  2      [ ACC ]     STREAM     LISTENING     5431     2009/acpid          /var/run/acpid.socket
unix  2      [ ACC ]     STREAM     LISTENING     5535     2106/php-cgi        /var/run/lighttpd/php.socket-0
unix  2      [ ACC ]     SEQPACKET  LISTENING     3311     324/udevd           /run/udev/control

2 Answers


The text

Cannot resolve network address for admin server

suggests that your DNS is not fully configured.

What do the DNS entries on your network show? Namely, what addresses do you have configured for kdc1.ixsystems.com and krb.ixsystems.com on the internal network? (And are you running the DNS server on this machine or on another one?)

For instance, Google's public DNS shows ixsystems.com at 64.71.187.9.

Also, the second [realms] and [domain_realm] sections are unnecessary in your configuration; each section should appear only once.


It seems to me that your kadmin tool cannot find its admin server. The DNS message you get is most likely because kadmin tries to find its admin server via a DNS service record, which is not in use at the moment:

 _kerberos-adm._tcp
This should list port 749 on your master KDC. Support for it is not complete at this time, but it will eventually be used by the kadmin program and related utilities. For now, you will also need the admin_server entry in krb5.conf.

Since you have an admin_server configured in your krb5.conf, it's probably an issue with your DNS.

your /etc/hosts contains

10.5.126.24:464 krb.ixsystems.com

That port notation is, as far as I know, wrong (/etc/hosts maps names to addresses only and has no field for a port, so the resolver will not treat that line as a valid entry for krb.ixsystems.com), and even if it were accepted, you need port 749 (TCP) for kadmin.

So remove that :464 and try again.

I would strongly recommend using a DNS server together with Kerberos; you'll run into far more trouble keeping hosts files in sync than it takes to set up bind, dnsmasq or pdns.
